[go: up one dir, main page]

US10452564B2 - Format preserving encryption of object code - Google Patents

Format preserving encryption of object code Download PDF

Info

Publication number
US10452564B2
US10452564B2 US15/496,287 US201715496287A US10452564B2 US 10452564 B2 US10452564 B2 US 10452564B2 US 201715496287 A US201715496287 A US 201715496287A US 10452564 B2 US10452564 B2 US 10452564B2
Authority
US
United States
Prior art keywords
object code
instructions
encrypted
list
fpe
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US15/496,287
Other versions
US20180309569A1 (en
Inventor
Luther Martin
Timothy Roake
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Micro Focus LLC
Original Assignee
EntIT Software LLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by EntIT Software LLC filed Critical EntIT Software LLC
Priority to US15/496,287 priority Critical patent/US10452564B2/en
Assigned to ENTIT SOFTWARE LLC reassignment ENTIT SOFTWARE LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ROAKE, TIMOTHY, MARTIN, LUTHER
Assigned to ENTIT SOFTWARE LLC reassignment ENTIT SOFTWARE LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ROAKE, TIMOTHY, MARTIN, LUTHER
Publication of US20180309569A1 publication Critical patent/US20180309569A1/en
Assigned to MICRO FOCUS LLC reassignment MICRO FOCUS LLC CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: ENTIT SOFTWARE LLC
Publication of US10452564B2 publication Critical patent/US10452564B2/en
Application granted granted Critical
Assigned to JPMORGAN CHASE BANK, N.A. reassignment JPMORGAN CHASE BANK, N.A. SECURITY AGREEMENT Assignors: BORLAND SOFTWARE CORPORATION, MICRO FOCUS (US), INC., MICRO FOCUS LLC, MICRO FOCUS SOFTWARE INC., NETIQ CORPORATION
Assigned to JPMORGAN CHASE BANK, N.A. reassignment JPMORGAN CHASE BANK, N.A. SECURITY AGREEMENT Assignors: BORLAND SOFTWARE CORPORATION, MICRO FOCUS (US), INC., MICRO FOCUS LLC, MICRO FOCUS SOFTWARE INC., NETIQ CORPORATION
Assigned to NETIQ CORPORATION, MICRO FOCUS SOFTWARE INC. (F/K/A NOVELL, INC.), MICRO FOCUS LLC reassignment NETIQ CORPORATION RELEASE OF SECURITY INTEREST REEL/FRAME 052294/0522 Assignors: JPMORGAN CHASE BANK, N.A.
Assigned to NETIQ CORPORATION, MICRO FOCUS LLC, MICRO FOCUS SOFTWARE INC. (F/K/A NOVELL, INC.) reassignment NETIQ CORPORATION RELEASE OF SECURITY INTEREST REEL/FRAME 052295/0041 Assignors: JPMORGAN CHASE BANK, N.A.
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1408Protection against unauthorised use of memory or access to memory by using cryptography
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/10Providing a specific technical effect
    • G06F2212/1052Security improvement
    • H04L2209/38

Definitions

  • Object code is used to execute instructions via a processor. In some instances, such object code is sensitive, and in need of protection.
  • FIG. 1 is a block diagram illustrating one example of a system for format preserving encryption of object code.
  • FIG. 2 is a flow diagram illustrating one example of a method for format preserving encryption of object code.
  • FIG. 3 is a block diagram illustrating one example of a computer readable medium for format preserving encryption of object code.
  • Object code specifies executable instructions for a processor.
  • Object code may be utilized to program a variety of computer-based applications. In many instances, such applications may be directed to handle sensitive data. Accordingly, any malicious manipulation of the instructions may result in an unauthorized access to sensitive data, cause applications to fail, and/or direct applications to perform in an unintended manner.
  • object code may be protected via protocols that safeguard and protect the confidentiality of the sensitive code.
  • additional protocols may require additional resources that may still be vulnerable to attack from hostile elements. Accordingly, there is a need to improve security of the object code with a minimal impact on businesses that must process such object code.
  • format preserving encryption of object code is disclosed.
  • One example is a system including at least one processor and a memory storing instructions executable by the at least one processor to identify object code to be secured, where the object code comprises a list of instructions, each instruction comprising an opcode and zero or more parameters.
  • a format preserving encryption (FPE) is applied to the received object code, where the FPE is applied separately to a sub-plurality of instructions in the list of instructions, to generate an encrypted object code comprising a sub-plurality of encrypted instructions.
  • An encrypted object code is provided to a service provider, where the encrypted object code comprises the sub-plurality of encrypted instructions, and any unencrypted portions of the object code.
  • FIG. 1 is a functional block diagram illustrating one example of a system 100 for format preserving encryption of object code.
  • System 100 is shown to include a processor 102 , and a memory 104 storing instructions 106 - 110 to perform various functions of the system.
  • system may be used to refer to a single computing device or multiple computing devices that communicate with each other (e.g. via a network) and operate together to provide a unified service.
  • the components of system 100 may communicate with one another over a network.
  • the network may be any wired or wireless network, including a network of cloud computing resources, and may include any number of hubs, routers, switches, cell towers, and so forth.
  • Such a network may be, for example, part of a cellular network, part of the internet, part of an intranet, and/or any other type of network.
  • Memory 104 may store instructions 106 to identify object code to be secured, where the object code comprises a list of instructions, each instruction comprising an opcode and zero or more parameters.
  • the code may be in structured form, and may need to be secured so as to prevent malicious use of the code.
  • object code comprises a sequence of instructions, each of which in turn may comprise a sequence starting with a valid opcode and continuing with zero or more parameters.
  • An instruction may be represented as: OpCode, Parm 1 , Parm 2 , . . . , Parm n , where “Parm” denotes a parameter value.
  • the instructions 106 may include instructions to parse the object code to identify the list of instructions, along with respective opcodes and respective parameters.
  • the instructions 106 may include instructions to identify an instruction format for the list of instructions.
  • one format is a Microprocessor without Interlocked Pipelined Stages (MIPS) format which is a reduced instruction set computer (RISC) instruction set.
  • MIPS Microprocessor without Interlocked Pipelined Stages
  • RISC reduced instruction set computer
  • the MIPS instruction set provides machine code where each instruction is 32 bits long.
  • the instruction is given by an operation code (opcode) field.
  • the instruction format may be one of an R-type, an I-type, and a J-type instruction.
  • An I-type instruction is an immediate instruction
  • a J-type instruction is a jump instruction.
  • R-type instructions are register instructions.
  • the object code has a structure that resembles opcode, register, register, register, and shift.
  • the R-type instructions may include an additional parameter, a function value funct, that determines an exact operation to be performed.
  • Memory 104 may store instructions 108 to apply a format preserving encryption (FPE) to the received object code, where the FPE is applied separately to a sub-plurality of instructions in the list of instructions, to generate an encrypted object code comprising a sub-plurality of encrypted instructions.
  • a format-preserving encryption function E may be applied to cryptographically obfuscate the list of instructions in a way that preserves their respective formats. For example, the function E may be applied to each instruction in turn, producing the sequence E(OpCode), E(Parm 1 ), E(Parm 2 ), . . . , E(Parm n ), mapping the original opcode to another valid opcode, the original first parameter to another valid first parameter, and so forth. Determining the original object code from the encrypted source code may be as difficult as reversing the encryption operation E, which may be near impossible.
  • the instructions 108 may include instructions to identify a sub-plurality of the list of instructions, where only the sub-plurality of the list of instructions needs to be secured. For example, certain instructions in the list of instructions may be directed to handling and/or processing sensitive information. Accordingly, these instructions may be encrypted, whereas the other instructions may be unencrypted.
  • some parameters may be representative of highly confidential data, and it may be necessary to secure such parameters.
  • a subset of all the fields may include sensitive information to be encrypted.
  • one or more registers, or the shift or the function value may be encrypted. Therefore, in some examples, it may be more cost effective to encrypt a portion of the object code.
  • FPE is a mode of advanced encryption standard (AES) encryption.
  • AES advanced encryption standard
  • it may be an AES encryption as described by the NIST SP800-38G Standard and accepted by the PCI Security Standards Council (SSC) as strong encryption.
  • SSC PCI Security Standards Council
  • the instructions 108 may include instructions to identify a computing architecture associated with the object code, and select the FPE to be compatible with the identified architecture.
  • system 100 may generate a call such as “FPE encrypt Intel instruction object code,” or “FPE encrypt MIPS instruction object code,” based on a computing architecture, where the call summons the correct encryption format that is compatible with the architecture.
  • the FPE may depend on the way the object code is parsed based on the specific architecture. In other words, the architecture may dictate the manner in which an instruction set is structured. In some examples, the FPE may depend on the encryption function, E, which may generally be selected based on the parsed object code. In some examples, the FPE may depend on a type of processor, and a class of opcode that is generated on the processor.
  • the computing architecture may be based on processor speed, or connections between a central processing unit (CPU) and a memory. In some examples, the computing architecture may be a parallel or distributed architecture.
  • the processor may be an Advanced RISC Machines (ARM) architecture.
  • ARM Advanced RISC Machines
  • the processor may be an Intel architecture.
  • each encryption generates a different value. For example, when a name is encrypted, an encrypted output is generated along with a random (RAND) value that was used to encrypt the name.
  • RAND random
  • the RAND value may change each time an encryption algorithm is applied, so the encrypted output may vary each time the encryption algorithm is applied.
  • a tweak is a non-random value that may be used to give ciphertext variability.
  • the encryption may be performed by mapping a sector to another sector, thereby preserving the format.
  • the tweak may be a block number and sector number for the hard drive. Accordingly, upon application of an encryption algorithm, a different value may be obtained for a sector each time an encryption algorithm is applied to the sector. This provides a form of variability, while preserving the format.
  • a random value in a random encryption scheme is called an initialization vector (IV).
  • IV initialization vector
  • a tweak is a way to use a non-random value to get the same property as when an IV is used. Although, a tweak is generally more complicated than an IV, the tweak provides the same type of security.
  • the FPE may be deterministic
  • the instructions 108 may include instructions to identify an offset into a file for each instruction of the list of instructions, and utilize the offset as a tweak for the deterministic encryption.
  • the tweak is a block number and sector number
  • an object code has an offset into the file for each instruction. This non-random value may be utilized as the tweak.
  • Memory 104 may store instructions 110 to provide the encrypted object code to a service provider, where the encrypted object code comprises the sub-plurality of encrypted instructions, and any unencrypted portions of the object code.
  • the format of the object code is preserved during encryption, substantial cost savings may be achieved since existing systems continue to process the object code without additional modifications. For example, storage of the code, transmission of the code, execution of the code, so forth may be based on a specific format of the object code. Such processing systems expect the object code to be in a form comprising a specific format. Accordingly, when the encrypted object code is provided in the same format, the systems may be agnostic to the transformation of the underlying code, and continue to process the code without changes in processor logic or other systems configurations. Accordingly, existing systems are able to process the output code since the format may be preserved.
  • the instructions 110 may include instructions to receive a decryption key from the service provider, confirm validity of the decryption key, and enable the service provider to execute the object code based on the valid decryption key to be applied to the encrypted object code.
  • the service provider may include a cryptographic process that decrypts the encrypted object code with the help of a key, and then executes the decrypted or original object code. So the encrypted object code is a valid code, but may only be executed if the service provider has access to the key that was used encrypt the object code.
  • the object code may be a smart contract in a blockchain
  • the instructions 110 may include instructions to store the encrypted smart contract in the blockchain.
  • a blockchain generally refers to a distributed database that maintains a dynamic linked list of online records that are called blocks. The blocks are timestamped and arranged in a linked chain. The record may be that of a financial transaction between parties, and the blockchain records such transactions in an open accessible and verifiable manner.
  • a smart contract is a digital contractual clause that may be embedded in a blockchain to facilitate a financial transaction. Since the smart contract is a computer protocol, it is comprised of executable object code. Also, financial transactions may be of a sensitive nature. Accordingly, the technology described herein may be applied to the smart contract to generate an encrypted smart contract, which is then embedded in the blockchain. This prevents unauthorized access and use of the smart contract. An authorized user may use a decryption key to unlock the encryption and execute the smart contract. As a result, privacy of a smart contract may be preserved while allowing the smart contract to be executed as needed.
  • the components of system 100 may include programming and/or physical networks to be communicatively linked to other components of each respective system.
  • the components of each system may include a processor and a memory, while programming code is stored on that memory and is executable by a processor to perform designated functions.
  • a computing device may be, for example, a web-based server, a local area network server, a cloud-based server, a notebook computer, a desktop computer, an all-in-one system, a tablet computing device, a mobile phone, an electronic book reader, or any other electronic device suitable for provisioning a computing resource to perform a unified visualization interface.
  • the computing device may include a processor and a computer-readable storage medium.
  • FIG. 2 is a flow diagram illustrating one example of a method for format preserving encryption of object code.
  • such an example method may be implemented by a system such as, for example, system 100 of FIG. 1 .
  • the method 200 may begin at block 202 , and continue to end at block 212 .
  • object code to be secured may be received.
  • the object code may be parsed to identify a list of instructions, where each instruction comprises an opcode and zero or more parameters.
  • a format preserving encryption may be applied to the received object code, where the FPE is applied separately to a sub-plurality of instructions in the list of instructions, to generate an encrypted object code comprising a sub-plurality of encrypted instructions.
  • the encrypted object code may be provided to a service provider, where the encrypted object code comprises the sub-plurality of encrypted instructions, and any unencrypted portions of the object code.
  • the method may include identifying an instruction format for the list of instructions.
  • the method may include identifying a computing architecture associated with the object code, and selecting the FPE to be compatible with the identified architecture.
  • the method may include receiving a decryption key from the service provider, confirming validity of the decryption key, and enabling the service provider to execute the object code based on the valid decryption key to be applied to the encrypted object code.
  • the FPE is deterministic
  • the method may include identifying an offset into a file for each instruction of the list of instructions, and utilizing the offset as a tweak for the deterministic encryption.
  • the object code is a smart contract in a blockchain
  • the method may include storing the encrypted smart contract in the blockchain.
  • FIG. 3 is a block diagram illustrating one example of a computer readable medium for format preserving encryption of object code.
  • Processing system 300 includes a processor 302 , a computer readable medium 304 , input devices 306 , and output devices 308 .
  • Processor 302 , computer readable medium 304 , input devices 306 , and output devices 308 are coupled to each other through a communication link (e.g., a bus).
  • the non-transitory, computer readable medium 304 may store configuration data for the logic to perform the various functions of the processor 302 .
  • Processor 302 executes instructions included in the computer readable medium 304 that stores configuration data for logic to perform the various functions.
  • Computer readable medium 304 stores configuration data for logic 312 to identify a list of instructions in an object code to be secured, each instruction comprising an opcode and zero or more parameters.
  • Computer readable medium 304 stores configuration data for logic 314 to apply a format preserving encryption (FPE) to the received object code, where the FPE is applied separately to each instruction in the list of instructions, to generate an encrypted object code comprising a list of encrypted instructions.
  • FPE format preserving encryption
  • Computer readable medium 304 stores configuration data for logic 316 to provide the encrypted object code to a service provider.
  • the computer readable medium 304 stores configuration data for logic to enable execution of the object code based on a valid decryption key to be applied to the encrypted object code.
  • the FPE is deterministic
  • the computer readable medium 304 stores configuration data for logic to identify an offset into a file for each instruction of the list of instructions, and utilize the offset as a tweak for the deterministic encryption.
  • the object code is a smart contract in a blockchain
  • the computer readable medium 304 stores configuration data for logic to store the encrypted smart contract in the blockchain.
  • a “computer readable medium” may be any electronic, magnetic, optical, or other physical storage apparatus to contain or store information such as executable instructions, data, and the like.
  • any computer readable storage medium described herein may be any of Random Access Memory (RAM), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., a hard drive), a solid state drive, and the like, or a combination thereof.
  • RAM Random Access Memory
  • volatile memory volatile memory
  • non-volatile memory non-volatile memory
  • flash memory e.g., a hard drive
  • solid state drive e.g., a solid state drive, and the like, or a combination thereof.
  • the computer readable medium 304 can include one of or multiple different forms of memory including semiconductor memory devices such as dynamic or static random access memories (DRAMs or SRAMs), erasable and programmable read-only memories (EPROMs), electrically erasable and programmable read-only memories (EEPROMs) and flash memories; magnetic disks such as fixed, floppy and removable disks; other magnetic media including tape; optical media such as compact disks (CDs) or digital video disks (DVDs); or other types of storage containers.
  • semiconductor memory devices such as dynamic or static random access memories (DRAMs or SRAMs), erasable and programmable read-only memories (EPROMs), electrically erasable and programmable read-only memories (EEPROMs) and flash memories
  • magnetic disks such as fixed, floppy and removable disks
  • optical media such as compact disks (CDs) or digital video disks (DVDs); or other types of storage containers.
  • various components of the processing system 300 are identified and refer to a combination of hardware and programming to perform a designated visualization function.
  • the programming may be processor executable instructions stored on tangible computer readable medium 304
  • the hardware may include Processor 302 for executing those instructions.
  • computer readable medium 304 may store program instructions that, when executed by Processor 302 , implement the various components of the processing system 300 .
  • Such computer readable storage medium or media is (are) considered to be part of an article (or article of manufacture).
  • An article or article of manufacture can refer to any manufactured single component or multiple components.
  • the storage medium or media can be located either in the machine running the machine-readable instructions, or located at a remote site from which machine-readable instructions can be downloaded over a network for execution.
  • Computer readable medium 304 may be any of a number of memory components capable of storing instructions that can be executed by processor 302 .
  • Computer readable medium 304 may be non-transitory in the sense that it does not encompass a transitory signal but instead is made up of memory components to store the relevant instructions.
  • Computer readable medium 304 may be implemented in a single device or distributed across devices.
  • processor 302 represents any number of processors capable of executing instructions stored by computer readable medium 304 .
  • Processor 302 may be integrated in a single device or distributed across devices.
  • computer readable medium 304 may be fully or partially integrated in the same device as processor 302 (as illustrated), or it may be separate but accessible to that device and processor 302 .
  • computer readable medium 304 may be a machine-readable storage medium.
  • the general techniques described herein provide a way to apply format preserving encryption to an object code.
  • One benefit of the techniques described herein is that the format of the object code is preserved during encryption. This makes it useful for the encrypted object code to be processed in many legacy environments.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Strategic Management (AREA)
  • Accounting & Taxation (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

Format preserving encryption of object code is disclosed. One example is a system including at least one processor and a memory storing instructions executable by the at least one processor to identify object code to be secured, where the object code comprises a list of instructions, each instruction comprising an opcode and zero or more parameters. A format preserving encryption (FPE) is applied to the received object code, where the FPE is applied separately to a sub-plurality of instructions in the list of instructions, to generate an encrypted object code comprising a sub-plurality of encrypted instructions. An encrypted object code is provided to a service provider, where the encrypted object code comprises the sub-plurality of encrypted instructions, and any unencrypted portions of the object code.

Description

BACKGROUND
Object code is used to execute instructions via a processor. In some instances, such object code is sensitive, and in need of protection.
BRIEF DESCRIPTION OF THE DRAWINGS
Some implementations of the present disclosure are described with respect to the following figures.
FIG. 1 is a block diagram illustrating one example of a system for format preserving encryption of object code.
FIG. 2 is a flow diagram illustrating one example of a method for format preserving encryption of object code.
FIG. 3 is a block diagram illustrating one example of a computer readable medium for format preserving encryption of object code.
 DETAILED DESCRIPTION
Object code specifies executable instructions for a processor. Object code may be utilized to program a variety of computer-based applications. In many instances, such applications may be directed to handle sensitive data. Accordingly, any malicious manipulation of the instructions may result in an unauthorized access to sensitive data, cause applications to fail, and/or direct applications to perform in an unintended manner.
In many instances, object code may be protected via protocols that safeguard and protect the confidentiality of the sensitive code. Such additional protocols may require additional resources that may still be vulnerable to attack from hostile elements. Accordingly, there is a need to improve security of the object code with a minimal impact on businesses that must process such object code.
In some instances, it may be desirable to only permit authorized end-users to have the ability to execute the object code. Traditional methods may be utilized to prevent software from being reverse-engineered. However, such traditional methods often rely on techniques that are not cryptographically robust. Accordingly, there is a need to obfuscate the object code using cryptographically robust methods. Also, in order to maintain compatibility with existing object code processing systems, it is desirable to maintain the structure of the object code. Accordingly, format-preserving encryption may be applied to the object code, where the structure of the object code is preserved.
As described in various examples herein, format preserving encryption of object code is disclosed. One example is a system including at least one processor and a memory storing instructions executable by the at least one processor to identify object code to be secured, where the object code comprises a list of instructions, each instruction comprising an opcode and zero or more parameters. A format preserving encryption (FPE) is applied to the received object code, where the FPE is applied separately to a sub-plurality of instructions in the list of instructions, to generate an encrypted object code comprising a sub-plurality of encrypted instructions. An encrypted object code is provided to a service provider, where the encrypted object code comprises the sub-plurality of encrypted instructions, and any unencrypted portions of the object code.
As described herein, format preserving encryption of object code solves a problem necessarily rooted in technology. Executable object codes are ubiquitous. In many instances, such executable object code may be utilized to initiate, control, manage sensitive computer applications or otherwise transmit sensitive data. Executable object code may be manipulated, modified or otherwise hacked to alter its instructions. Such unauthorized activities directed at intercepting, modifying, misdirecting, and/or misusing such highly sensitive code need to be stopped. Accordingly, the techniques disclosed herein solve a technological problem of securing such sensitive object codes. In performing these security enhancements, the functioning of the computer is enhanced as well, since existing systems do not have to be modified to receive the encrypted object code, since its format is preserved during the encryption process. The technology described herein may be applied within large connected networks of computers, as for example, an enterprise system running a plethora of computer applications.
In the following detailed description, reference is made to the accompanying drawings which form a part hereof, and in which is shown by way of illustration specific examples in which the disclosure may be practiced. It is to be understood that other examples may be utilized, and structural or logical changes may be made without departing from the scope of the present disclosure. The following detailed description, therefore, is not to be taken in a limiting sense, and the scope of the present disclosure is defined by the appended claims. It is to be understood that features of the various examples described herein may be combined, in part or whole, with each other, unless specifically noted otherwise.
FIG. 1 is a functional block diagram illustrating one example of a system 100 for format preserving encryption of object code. System 100 is shown to include a processor 102, and a memory 104 storing instructions 106-110 to perform various functions of the system.
The term “system” may be used to refer to a single computing device or multiple computing devices that communicate with each other (e.g. via a network) and operate together to provide a unified service. In some examples, the components of system 100 may communicate with one another over a network. As described herein, the network may be any wired or wireless network, including a network of cloud computing resources, and may include any number of hubs, routers, switches, cell towers, and so forth. Such a network may be, for example, part of a cellular network, part of the internet, part of an intranet, and/or any other type of network.
Memory 104 may store instructions 106 to identify object code to be secured, where the object code comprises a list of instructions, each instruction comprising an opcode and zero or more parameters. Generally, the code may be in structured form, and may need to be secured so as to prevent malicious use of the code. For example, object code comprises a sequence of instructions, each of which in turn may comprise a sequence starting with a valid opcode and continuing with zero or more parameters. An instruction may be represented as: OpCode, Parm1, Parm2, . . . , Parmn, where “Parm” denotes a parameter value. In some examples, the instructions 106 may include instructions to parse the object code to identify the list of instructions, along with respective opcodes and respective parameters.
In some examples, the instructions 106 may include instructions to identify an instruction format for the list of instructions. For example, one format is a Microprocessor without Interlocked Pipelined Stages (MIPS) format which is a reduced instruction set computer (RISC) instruction set. The MIPS instruction set provides machine code where each instruction is 32 bits long. Generally, the instruction is given by an operation code (opcode) field.
In some examples, the instruction format may be one of an R-type, an I-type, and a J-type instruction. An I-type instruction is an immediate instruction, and a J-type instruction is a jump instruction. Also, for example, R-type instructions are register instructions. In R-type, the object code has a structure that resembles opcode, register, register, register, and shift. In some examples, the R-type instructions may include an additional parameter, a function value funct, that determines an exact operation to be performed.
Memory 104 may store instructions 108 to apply a format preserving encryption (FPE) to the received object code, where the FPE is applied separately to a sub-plurality of instructions in the list of instructions, to generate an encrypted object code comprising a sub-plurality of encrypted instructions. A format-preserving encryption function E may be applied to cryptographically obfuscate the list of instructions in a way that preserves their respective formats. For example, the function E may be applied to each instruction in turn, producing the sequence E(OpCode), E(Parm1), E(Parm2), . . . , E(Parmn), mapping the original opcode to another valid opcode, the original first parameter to another valid first parameter, and so forth. Determining the original object code from the encrypted source code may be as difficult as reversing the encryption operation E, which may be near impossible.
In some examples, the instructions 108 may include instructions to identify a sub-plurality of the list of instructions, where only the sub-plurality of the list of instructions needs to be secured. For example, certain instructions in the list of instructions may be directed to handling and/or processing sensitive information. Accordingly, these instructions may be encrypted, whereas the other instructions may be unencrypted.
As another example, some parameters may be representative of highly confidential data, and it may be necessary to secure such parameters. For example, for R-type instructions, a subset of all the fields may include sensitive information to be encrypted. For example, one or more registers, or the shift or the function value may be encrypted. Therefore, in some examples, it may be more cost effective to encrypt a portion of the object code.
Generally, as used herein, FPE is a mode of advanced encryption standard (AES) encryption. As an illustrative example, it may be an AES encryption as described by the NIST SP800-38G Standard and accepted by the PCI Security Standards Council (SSC) as strong encryption.
In some examples, the instructions 108 may include instructions to identify a computing architecture associated with the object code, and select the FPE to be compatible with the identified architecture. In some examples, system 100 may generate a call such as “FPE encrypt Intel instruction object code,” or “FPE encrypt MIPS instruction object code,” based on a computing architecture, where the call summons the correct encryption format that is compatible with the architecture.
Generally, the FPE may depend on the way the object code is parsed based on the specific architecture. In other words, the architecture may dictate the manner in which an instruction set is structured. In some examples, the FPE may depend on the encryption function, E, which may generally be selected based on the parsed object code. In some examples, the FPE may depend on a type of processor, and a class of opcode that is generated on the processor.
In some examples, the computing architecture may be based on processor speed, or connections between a central processing unit (CPU) and a memory. In some examples, the computing architecture may be a parallel or distributed architecture.
As an example, in systems related to the Internet of Things (IoT), the processor may be an Advanced RISC Machines (ARM) architecture. Also, for example, for desktop computers, the processor may be an Intel architecture.
In many instances, there are two general types of encryption algorithms—random and deterministic. In the case of a random algorithms, each encryption generates a different value. For example, when a name is encrypted, an encrypted output is generated along with a random (RAND) value that was used to encrypt the name. The RAND value may change each time an encryption algorithm is applied, so the encrypted output may vary each time the encryption algorithm is applied. To preserve a format and a referential integrity of a database where names are stored, non-random encryption is needed.
However, for a non-random encryption scheme, due to a lack of output variability, it may be possible to build a dictionary, and perform a table lookup to match the original name with the encrypted name. This would eliminate the need to decrypt. Accordingly, there is a need to introduce some randomness in a non-random encryption scheme. A tweak is a non-random value that may be used to give ciphertext variability. For example, in encrypting a hard disk, the encryption may be performed by mapping a sector to another sector, thereby preserving the format. In this example, the tweak may be a block number and sector number for the hard drive. Accordingly, upon application of an encryption algorithm, a different value may be obtained for a sector each time an encryption algorithm is applied to the sector. This provides a form of variability, while preserving the format.
A random value in a random encryption scheme is called an initialization vector (IV). A tweak is a way to use a non-random value to get the same property as when an IV is used. Although, a tweak is generally more complicated than an IV, the tweak provides the same type of security.
In some examples, the FPE may be deterministic, and the instructions 108 may include instructions to identify an offset into a file for each instruction of the list of instructions, and utilize the offset as a tweak for the deterministic encryption. By analogy to the hard disk example provided herein where the tweak is a block number and sector number, an object code has an offset into the file for each instruction. This non-random value may be utilized as the tweak.
Memory 104 may store instructions 110 to provide the encrypted object code to a service provider, where the encrypted object code comprises the sub-plurality of encrypted instructions, and any unencrypted portions of the object code. As described herein, when the format of the object code is preserved during encryption, substantial cost savings may be achieved since existing systems continue to process the object code without additional modifications. For example, storage of the code, transmission of the code, execution of the code, so forth may be based on a specific format of the object code. Such processing systems expect the object code to be in a form comprising a specific format. Accordingly, when the encrypted object code is provided in the same format, the systems may be agnostic to the transformation of the underlying code, and continue to process the code without changes in processor logic or other systems configurations. Accordingly, existing systems are able to process the output code since the format may be preserved.
In some examples, the instructions 110 may include instructions to receive a decryption key from the service provider, confirm validity of the decryption key, and enable the service provider to execute the object code based on the valid decryption key to be applied to the encrypted object code. For example, the service provider may include a cryptographic process that decrypts the encrypted object code with the help of a key, and then executes the decrypted or original object code. So the encrypted object code is a valid code, but may only be executed if the service provider has access to the key that was used encrypt the object code.
In some examples, the object code may be a smart contract in a blockchain, and the instructions 110 may include instructions to store the encrypted smart contract in the blockchain. A blockchain, as used herein, generally refers to a distributed database that maintains a dynamic linked list of online records that are called blocks. The blocks are timestamped and arranged in a linked chain. The record may be that of a financial transaction between parties, and the blockchain records such transactions in an open accessible and verifiable manner.
A smart contract is a digital contractual clause that may be embedded in a blockchain to facilitate a financial transaction. Since the smart contract is a computer protocol, it is comprised of executable object code. Also, financial transactions may be of a sensitive nature. Accordingly, the technology described herein may be applied to the smart contract to generate an encrypted smart contract, which is then embedded in the blockchain. This prevents unauthorized access and use of the smart contract. An authorized user may use a decryption key to unlock the encryption and execute the smart contract. As a result, privacy of a smart contract may be preserved while allowing the smart contract to be executed as needed.
Generally, the components of system 100 may include programming and/or physical networks to be communicatively linked to other components of each respective system. In some instances, the components of each system may include a processor and a memory, while programming code is stored on that memory and is executable by a processor to perform designated functions.
Generally, the system components may be communicatively linked to computing devices. A computing device, as used herein, may be, for example, a web-based server, a local area network server, a cloud-based server, a notebook computer, a desktop computer, an all-in-one system, a tablet computing device, a mobile phone, an electronic book reader, or any other electronic device suitable for provisioning a computing resource to perform a unified visualization interface. The computing device may include a processor and a computer-readable storage medium.
FIG. 2 is a flow diagram illustrating one example of a method for format preserving encryption of object code. In some examples, such an example method may be implemented by a system such as, for example, system 100 of FIG. 1. The method 200 may begin at block 202, and continue to end at block 212.
At 204, object code to be secured may be received.
At 206, the object code may be parsed to identify a list of instructions, where each instruction comprises an opcode and zero or more parameters.
At 208, a format preserving encryption (FPE) may be applied to the received object code, where the FPE is applied separately to a sub-plurality of instructions in the list of instructions, to generate an encrypted object code comprising a sub-plurality of encrypted instructions.
At 210, the encrypted object code may be provided to a service provider, where the encrypted object code comprises the sub-plurality of encrypted instructions, and any unencrypted portions of the object code.
In some examples, the method may include identifying an instruction format for the list of instructions.
In some examples, the method may include identifying a computing architecture associated with the object code, and selecting the FPE to be compatible with the identified architecture.
In some examples, the method may include receiving a decryption key from the service provider, confirming validity of the decryption key, and enabling the service provider to execute the object code based on the valid decryption key to be applied to the encrypted object code.
In some examples, the FPE is deterministic, and the method may include identifying an offset into a file for each instruction of the list of instructions, and utilizing the offset as a tweak for the deterministic encryption.
In some examples, the object code is a smart contract in a blockchain, and the method may include storing the encrypted smart contract in the blockchain.
FIG. 3 is a block diagram illustrating one example of a computer readable medium for format preserving encryption of object code. Processing system 300 includes a processor 302, a computer readable medium 304, input devices 306, and output devices 308. Processor 302, computer readable medium 304, input devices 306, and output devices 308 are coupled to each other through a communication link (e.g., a bus). In some examples, the non-transitory, computer readable medium 304 may store configuration data for the logic to perform the various functions of the processor 302.
Processor 302 executes instructions included in the computer readable medium 304 that stores configuration data for logic to perform the various functions. Computer readable medium 304 stores configuration data for logic 312 to identify a list of instructions in an object code to be secured, each instruction comprising an opcode and zero or more parameters.
Computer readable medium 304 stores configuration data for logic 314 to apply a format preserving encryption (FPE) to the received object code, where the FPE is applied separately to each instruction in the list of instructions, to generate an encrypted object code comprising a list of encrypted instructions.
Computer readable medium 304 stores configuration data for logic 316 to provide the encrypted object code to a service provider.
In some examples, the computer readable medium 304 stores configuration data for logic to enable execution of the object code based on a valid decryption key to be applied to the encrypted object code.
In some examples, the FPE is deterministic, and the computer readable medium 304 stores configuration data for logic to identify an offset into a file for each instruction of the list of instructions, and utilize the offset as a tweak for the deterministic encryption.
In some examples, the object code is a smart contract in a blockchain, and the computer readable medium 304 stores configuration data for logic to store the encrypted smart contract in the blockchain.
As used herein, a “computer readable medium” may be any electronic, magnetic, optical, or other physical storage apparatus to contain or store information such as executable instructions, data, and the like. For example, any computer readable storage medium described herein may be any of Random Access Memory (RAM), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., a hard drive), a solid state drive, and the like, or a combination thereof. For example, the computer readable medium 304 can include one of or multiple different forms of memory including semiconductor memory devices such as dynamic or static random access memories (DRAMs or SRAMs), erasable and programmable read-only memories (EPROMs), electrically erasable and programmable read-only memories (EEPROMs) and flash memories; magnetic disks such as fixed, floppy and removable disks; other magnetic media including tape; optical media such as compact disks (CDs) or digital video disks (DVDs); or other types of storage containers.
As described herein, various components of the processing system 300 are identified and refer to a combination of hardware and programming to perform a designated visualization function. As illustrated in FIG. 3, the programming may be processor executable instructions stored on tangible computer readable medium 304, and the hardware may include Processor 302 for executing those instructions. Thus, computer readable medium 304 may store program instructions that, when executed by Processor 302, implement the various components of the processing system 300.
Such computer readable storage medium or media is (are) considered to be part of an article (or article of manufacture). An article or article of manufacture can refer to any manufactured single component or multiple components. The storage medium or media can be located either in the machine running the machine-readable instructions, or located at a remote site from which machine-readable instructions can be downloaded over a network for execution.
Computer readable medium 304 may be any of a number of memory components capable of storing instructions that can be executed by processor 302. Computer readable medium 304 may be non-transitory in the sense that it does not encompass a transitory signal but instead is made up of memory components to store the relevant instructions. Computer readable medium 304 may be implemented in a single device or distributed across devices. Likewise, processor 302 represents any number of processors capable of executing instructions stored by computer readable medium 304. Processor 302 may be integrated in a single device or distributed across devices. Further, computer readable medium 304 may be fully or partially integrated in the same device as processor 302 (as illustrated), or it may be separate but accessible to that device and processor 302. In some examples, computer readable medium 304 may be a machine-readable storage medium.
The general techniques described herein provide a way to apply format preserving encryption to an object code. One benefit of the techniques described herein is that the format of the object code is preserved during encryption. This makes it useful for the encrypted object code to be processed in many legacy environments.
Although specific examples have been illustrated and described herein, there may be a variety of alternate and/or equivalent implementations that may be substituted for the specific examples shown and described without departing from the scope of the present disclosure. This application is intended to cover any adaptations or variations of the specific examples discussed herein.

Claims (18)

The invention claimed is:
1. A system comprising:
at least one processor; and
a non-transitory storage-medium storing instructions executable by the at least one processor to:
identify object code to be secured, wherein the object code comprises a list of instructions, each instruction comprising an opcode and zero or more parameters;
identify a computing architecture associated with the object code;
select a format preserving encryption (FPE) to be compatible with the identified computing architecture;
apply the FPE to the object code, wherein the FPE is applied separately to a sub-plurality of instructions in the list of instructions, to generate an encrypted object code comprising a sub-plurality of encrypted instructions; and
provide the encrypted object code to a service provider, wherein the encrypted object code comprises the sub-plurality of encrypted instructions, and any unencrypted portions of the object code.
2. The system of claim 1, comprising further instructions to parse the object code to identify the list of instructions, along with respective opcodes and respective parameters.
3. The system of claim 1, comprising further instructions to identify an instruction format for the list of instructions.
4. The system of claim 3, wherein the instruction format is one of an R-type, an I-type, and a J-type instruction.
5. The system of claim 1, wherein the computing architecture is based on a processor speed, or connections between a central processing unit (CPU) and a memory.
6. The system of claim 1, wherein the computing architecture is a parallel or distributed architecture.
7. The system of claim 1, comprising further instructions executable by the at least one processor to:
receive a decryption key from the service provider;
confirm a validity of the decryption key; and
enable the service provider to execute the object code based on the valid decryption key to be applied to the encrypted object code.
8. The system of claim 1, wherein the FPE is deterministic, and the system comprising further instructions executable by the at least one processor to:
identify an offset into a file for each instruction of the list of instructions; and
utilize the offset as a tweak for the deterministic FPE.
9. The system of claim 1, wherein the object code is a smart contract in a blockchain, and the system comprising further instructions executable by the at least one processor to store the encrypted smart contract in the blockchain.
10. A method performed by a system comprising a hardware processor, comprising:
receiving object code to be secured;
parsing the object code to identify a list of instructions, each instruction comprising an opcode and zero or more parameters;
identifying an instruction format for the list of instructions, wherein the instruction format is one of an R-type, an I-type, and a J-type instruction;
applying a format preserving encryption (FPE) to the received object code, wherein the FPE is applied separately to a sub-plurality of instructions in the list of instructions, to generate an encrypted object code comprising a sub-plurality of encrypted instructions; and
providing the encrypted object code to a service provider, wherein the encrypted object code comprises the sub-plurality of encrypted instructions, and any unencrypted portions of the object code.
11. The method of claim 10, further comprising:
identifying a computing architecture associated with the object code; and
selecting the FPE to be compatible with the identified computing architecture.
12. The method of claim 10, further comprising:
receiving a decryption key from the service provider;
confirming a validity of the decryption key; and
enabling the service provider to execute the object code based on the valid decryption key to be applied to the encrypted object code.
13. The method of claim 10, wherein the FPE is deterministic, and the method further comprising:
identifying an offset into a file for each instruction of the list of instructions; and
utilizing the offset as a tweak for the deterministic FPE.
14. The method of claim 10, wherein the object code is a smart contract in a blockchain, and the method further comprising storing the encrypted smart contract in the blockchain.
15. A non-transitory computer readable medium comprising executable instructions to:
identify a list of instructions in an object code to be secured, each instruction in the list of instructions comprising an opcode and zero or more parameters;
apply a format preserving encryption (FPE) to the object code, wherein the FPE is applied separately to each instruction in the list of instructions, to generate an encrypted object code comprising a list of encrypted instructions;
provide the encrypted object code to a service provider; and enable execution of the object code based on a valid decryption key to be applied to the encrypted object code.
16. The non-transitory computer readable medium of claim 15, wherein the FPE is deterministic, and comprising further instructions to:
identify an offset into a file for each instruction of the list of instructions; and
utilize the offset as a tweak for the deterministic FPE.
17. The non-transitory computer readable medium of claim 15, comprising further instructions to:
identify an instruction format for the list of instructions, wherein the instruction format is one of an R-type, an I-type, and a J-type instruction.
18. A non-transitory computer readable medium comprising executable instructions to:
identify a list of instructions in an object code to be secured, each instruction in the list of instructions comprising an opcode and zero or more parameters, wherein the object code is a smart contract in a blockchain;
apply a format preserving encryption (FPE) to the object code, wherein the FPE is applied separately to each instruction in the list of instructions, to generate an encrypted smart contract comprising a list of encrypted instructions;
provide the encrypted smart contract to a service provider; and
store the encrypted smart contract in the blockchain.
US15/496,287 2017-04-25 2017-04-25 Format preserving encryption of object code Active 2037-10-05 US10452564B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/496,287 US10452564B2 (en) 2017-04-25 2017-04-25 Format preserving encryption of object code

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US15/496,287 US10452564B2 (en) 2017-04-25 2017-04-25 Format preserving encryption of object code

Publications (2)

Publication Number Publication Date
US20180309569A1 US20180309569A1 (en) 2018-10-25
US10452564B2 true US10452564B2 (en) 2019-10-22

Family

ID=63854640

Family Applications (1)

Application Number Title Priority Date Filing Date
US15/496,287 Active 2037-10-05 US10452564B2 (en) 2017-04-25 2017-04-25 Format preserving encryption of object code

Country Status (1)

Country Link
US (1) US10452564B2 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11797982B2 (en) 2017-01-06 2023-10-24 FirstBlood Technologies, Inc. Digital ledger authentication using address encoding
US10896418B2 (en) 2017-12-29 2021-01-19 Ebay Inc. Secure management of data files using a blockchain
US11139977B2 (en) * 2018-02-07 2021-10-05 Verasity Limited System and method for proof of view via blockchain
US12015712B2 (en) 2018-02-07 2024-06-18 Verasity Limited S.R.L. System and method for proof of view via blockchain
KR102170454B1 (en) * 2019-01-29 2020-10-28 주식회사 크로스앵글 Method for providing information on blockchain and device for performing the same
KR102002509B1 (en) * 2019-04-04 2019-07-22 주식회사 한국정보보호경영연구소 Privite blockchain system including notarizing center and notarial method thereof
CN110266467B (en) * 2019-05-31 2021-04-27 创新先进技术有限公司 Method and device for realizing dynamic encryption based on block height
US12198201B2 (en) 2019-12-11 2025-01-14 Data Vault Holdings, Inc. Platform and method for preparing a tax return
US12100025B2 (en) 2019-12-11 2024-09-24 Data Vault Holdings, Inc. Platform for management of user data
US20220129852A1 (en) * 2020-10-27 2022-04-28 Sap Se Cross-entity process collaboration service via secure, distributed ledger

Citations (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5603047A (en) * 1995-10-06 1997-02-11 Lsi Logic Corporation Superscalar microprocessor architecture
JP2006025436A (en) 1998-03-16 2006-01-26 Intertrust Technologies Corp Methods and apparatus for continuous control and protection of media content
US20060242702A1 (en) * 2005-04-26 2006-10-26 International Business Machines Corporation Method for fast decryption of processor instructions in an encrypted instruction power architecture
US7685214B2 (en) 2005-08-26 2010-03-23 International Business Machines Corporation Order-preserving encoding formats of floating-point decimal numbers for efficient value comparison
US20100211781A1 (en) * 2009-02-16 2010-08-19 Microsoft Corporation Trusted cloud computing and services framework
US20110022854A1 (en) * 2009-07-27 2011-01-27 Nagravision S.A. Processor-implemented method for ensuring software integrity
US20110103579A1 (en) 2009-10-30 2011-05-05 Martin Luther W Format preserving encryption systems for data strings with constraints
US20110280394A1 (en) * 2010-05-11 2011-11-17 Arcot, a CA Technologies company Format-Preserving Encryption Via Rotating Block Encryption
US20110307961A1 (en) * 2009-03-02 2011-12-15 Nxp B.V. Software protection
US8151110B2 (en) 2004-08-05 2012-04-03 Digital Keystone, Inc. Methods and apparatuses for configuring products
US20130007467A1 (en) 2011-06-29 2013-01-03 Divx, Llc Binding of cryptographic content using unique device characteristics with server heuristics
US20130168450A1 (en) 2011-12-30 2013-07-04 Clay W. von Mueller Format preserving cipher system and method
US20130232578A1 (en) 2012-03-02 2013-09-05 Apple Inc. Method and apparatus for obfuscating program source codes
US20140229742A1 (en) 2011-09-08 2014-08-14 Thomson Licensing Methods and devices for protecting digital objects through format preserving coding
US20150186296A1 (en) * 2013-09-06 2015-07-02 Michael Guidry Systems And Methods For Security In Computer Systems
US9177111B1 (en) * 2006-11-14 2015-11-03 Hitachi Global Storage Technologies Netherlands B.V. Systems and methods for protecting software
US20150326388A1 (en) 2012-06-29 2015-11-12 Penta Security Systems Inc. Generation and verification of alternate data having specific format
US9202079B2 (en) 2012-10-25 2015-12-01 Verisign, Inc. Privacy preserving data querying
US9208491B2 (en) 2007-01-16 2015-12-08 Voltage Security, Inc. Format-preserving cryptographic systems
US20160006703A1 (en) 2013-09-12 2016-01-07 International Business Machines Corporation Secure processing environment for protecting sensitive information
US20160182543A1 (en) 2014-12-22 2016-06-23 Christian Aabye Software tampering detection and reporting process
US9436525B2 (en) 2004-06-08 2016-09-06 Covia Labs, Inc. System method and model for social synchronization interoperability among intermittently connected interoperating devices
US9582332B2 (en) * 2012-08-31 2017-02-28 Intel Corporation Enabling a cloud to effectively assign workloads to servers
US9635011B1 (en) 2014-08-27 2017-04-25 Jonetix Corporation Encryption and decryption techniques using shuffle function
US20170177504A1 (en) * 2015-12-18 2017-06-22 Intel Corporation Instruction and Logic for Secure Instruction Execution Pipeline

Patent Citations (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5603047A (en) * 1995-10-06 1997-02-11 Lsi Logic Corporation Superscalar microprocessor architecture
JP2006025436A (en) 1998-03-16 2006-01-26 Intertrust Technologies Corp Methods and apparatus for continuous control and protection of media content
US9436525B2 (en) 2004-06-08 2016-09-06 Covia Labs, Inc. System method and model for social synchronization interoperability among intermittently connected interoperating devices
US8151110B2 (en) 2004-08-05 2012-04-03 Digital Keystone, Inc. Methods and apparatuses for configuring products
US20060242702A1 (en) * 2005-04-26 2006-10-26 International Business Machines Corporation Method for fast decryption of processor instructions in an encrypted instruction power architecture
US7685214B2 (en) 2005-08-26 2010-03-23 International Business Machines Corporation Order-preserving encoding formats of floating-point decimal numbers for efficient value comparison
US9177111B1 (en) * 2006-11-14 2015-11-03 Hitachi Global Storage Technologies Netherlands B.V. Systems and methods for protecting software
US9208491B2 (en) 2007-01-16 2015-12-08 Voltage Security, Inc. Format-preserving cryptographic systems
US20100211781A1 (en) * 2009-02-16 2010-08-19 Microsoft Corporation Trusted cloud computing and services framework
US20110307961A1 (en) * 2009-03-02 2011-12-15 Nxp B.V. Software protection
US20110022854A1 (en) * 2009-07-27 2011-01-27 Nagravision S.A. Processor-implemented method for ensuring software integrity
US20110103579A1 (en) 2009-10-30 2011-05-05 Martin Luther W Format preserving encryption systems for data strings with constraints
US20110280394A1 (en) * 2010-05-11 2011-11-17 Arcot, a CA Technologies company Format-Preserving Encryption Via Rotating Block Encryption
US8948376B2 (en) 2010-05-11 2015-02-03 Ca, Inc. Format-preserving encryption via rotating block encryption
US20130007467A1 (en) 2011-06-29 2013-01-03 Divx, Llc Binding of cryptographic content using unique device characteristics with server heuristics
US20140229742A1 (en) 2011-09-08 2014-08-14 Thomson Licensing Methods and devices for protecting digital objects through format preserving coding
US20130168450A1 (en) 2011-12-30 2013-07-04 Clay W. von Mueller Format preserving cipher system and method
US20130232578A1 (en) 2012-03-02 2013-09-05 Apple Inc. Method and apparatus for obfuscating program source codes
US20150326388A1 (en) 2012-06-29 2015-11-12 Penta Security Systems Inc. Generation and verification of alternate data having specific format
US9582332B2 (en) * 2012-08-31 2017-02-28 Intel Corporation Enabling a cloud to effectively assign workloads to servers
US9202079B2 (en) 2012-10-25 2015-12-01 Verisign, Inc. Privacy preserving data querying
US20150186296A1 (en) * 2013-09-06 2015-07-02 Michael Guidry Systems And Methods For Security In Computer Systems
US20160006703A1 (en) 2013-09-12 2016-01-07 International Business Machines Corporation Secure processing environment for protecting sensitive information
US9635011B1 (en) 2014-08-27 2017-04-25 Jonetix Corporation Encryption and decryption techniques using shuffle function
US20160182543A1 (en) 2014-12-22 2016-06-23 Christian Aabye Software tampering detection and reporting process
US20170177504A1 (en) * 2015-12-18 2017-06-22 Intel Corporation Instruction and Logic for Secure Instruction Execution Pipeline

Non-Patent Citations (19)

* Cited by examiner, † Cited by third party
Title
Alghamdi et al; A Software Tool for Floating Point Interval Analysis with Improved Precision for Javascript-based Medical Applications; 2016 IEEE; pp. 659-662;Year: 2016.
Arnold; The Patriot Missile Failure; 1 page; Aug. 23, 2000.
Bellare, M. et al., Format-preserving Encryption, 2009 (25 pages).
DuBen et al; Benchmark Tests for Numerical Weather Forecasts on Inexact Hardware, American Meteorological Society; 2014, 21 pages;Year: 2014.
Dworkin, Morris, NIST Special Publication 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption, Mar. 2016 (28 pages).
Himangi, G., Code Protection and Obfuscation of net Software Using Crypto Obfuscator, Jul. 20, 2010 (6 pages).
https://www.comforte.com/products/protect/securdps/securdps-password-protection/-Securdata is Now a Core Part of Securdps, Mar. 4, 2016 (4 pages).
https://www.comforte.com/products/protect/securdps/securdps-password-protection/—Securdata is Now a Core Part of Securdps, Mar. 4, 2016 (4 pages).
https://www.voltage.com/technology/data-encryption/hpe-format-preserving-encryption/-Format-Preserving Encryption (FPE), DataMasking, Datatype Agnostic, Referential Integrity, HPE Security-Data Security, 2015 (5 pages).
https://www.voltage.com/technology/data-encryption/hpe-format-preserving-encryption/—Format-Preserving Encryption (FPE), DataMasking, Datatype Agnostic, Referential Integrity, HPE Security—Data Security, 2015 (5 pages).
IEEE Std 754-1985; ANSI, IEEE Standard for Binary Floating-Point Arithmetic; 20 pages;Year: 1985.
Kaplan et al; The Error in the Double Precision Representation of Julian Dates; AA Technical Note Feb. 2011; 4 pages;Year: 2011.
Kim, K. et al., Encoding of Korean Characters with Less Radix in Format-preserving Encryption, Dec. 17, 2015 (3 pages).
Liu, X. et al., Privacy-preserving Outsourced Calculation on Floating Point Numbers, Jun. 27, 2016 (17 pages).
Luther Martin, U.S. Appl. No. 15/496,282 entitled Format Preserving Encryption of Floating Point Data filed Apr. 25, 2017 (21 pages).
Luther Martin, U.S. Appl. No. 15/496,285 entitled Secure Representation Via a Format Preserving Hash Function filed Apr. 25, 2017 (24 pages).
U.S. Appl. No. 15/496,282, Notice of Allowance dated Mar. 27, 2019, pp. 1-4 and attachments.
Wikipedia, MIPS instruction set dated on or before Mar. 24, 2017 (22 pages).
Xie et al;Fast Lossless Compression of Seismic Floating-Point Data,2009; IEEE pp. 235-238;Year: 2009.

Also Published As

Publication number Publication date
US20180309569A1 (en) 2018-10-25

Similar Documents

Publication Publication Date Title
US10452564B2 (en) Format preserving encryption of object code
US11398899B2 (en) Data processing device and data processing method
US11921905B2 (en) Secure collaboration between processors and processing accelerators in enclaves
US10341091B2 (en) Secure memory storage
US10230529B2 (en) Techniques to secure computation data in a computing environment
US9858436B2 (en) Secure format-preserving encryption of data fields
KR101265099B1 (en) A Method For Software Security Treatment And A Storage Medium
US8036379B2 (en) Cryptographic processing
US20160094347A1 (en) Method and system for secure management of computer applications
US20240061790A1 (en) Locally-stored remote block data integrity
US9619658B2 (en) Homomorphically encrypted one instruction computation systems and methods
US11042652B2 (en) Techniques for multi-domain memory encryption
CN110855433B (en) Data encryption method and device based on encryption algorithm and computer equipment
CN111008094B (en) Data recovery method, device and system
US20230325516A1 (en) Method for file encryption, terminal, electronic device and computer-readable storage medium
US11783094B2 (en) System and method for providing protected data storage in data memory
US20230021749A1 (en) Wrapped Keys with Access Control Predicates
CN110138556A (en) Data processing equipment and data processing method
US8494169B2 (en) Validating encrypted archive keys
KR20180059217A (en) Apparatus and method for secure processing of memory data
US20210026935A1 (en) High performance compute ip encryption using unique set of application attributes
US20210173950A1 (en) Data sharing between trusted execution environments
EP4154135A1 (en) Method to secure computer code
EP3193274B1 (en) Secure memory storage
US20240184900A1 (en) System and method for providing protected data storage in data memory

Legal Events

Date Code Title Description
AS Assignment

Owner name: ENTIT SOFTWARE LLC, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MARTIN, LUTHER;ROAKE, TIMOTHY;SIGNING DATES FROM 20170420 TO 20170421;REEL/FRAME:042145/0944

AS Assignment

Owner name: ENTIT SOFTWARE LLC, NORTH CAROLINA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MARTIN, LUTHER;ROAKE, TIMOTHY;SIGNING DATES FROM 20170420 TO 20170421;REEL/FRAME:045982/0442

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

AS Assignment

Owner name: MICRO FOCUS LLC, CALIFORNIA

Free format text: CHANGE OF NAME;ASSIGNOR:ENTIT SOFTWARE LLC;REEL/FRAME:050004/0001

Effective date: 20190523

STPP Information on status: patent application and granting procedure in general

Free format text: AWAITING TC RESP, ISSUE FEE PAYMENT VERIFIED

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK

Free format text: SECURITY AGREEMENT;ASSIGNORS:MICRO FOCUS LLC;BORLAND SOFTWARE CORPORATION;MICRO FOCUS SOFTWARE INC.;AND OTHERS;REEL/FRAME:052294/0522

Effective date: 20200401

Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK

Free format text: SECURITY AGREEMENT;ASSIGNORS:MICRO FOCUS LLC;BORLAND SOFTWARE CORPORATION;MICRO FOCUS SOFTWARE INC.;AND OTHERS;REEL/FRAME:052295/0041

Effective date: 20200401

AS Assignment

Owner name: NETIQ CORPORATION, WASHINGTON

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 052295/0041;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062625/0754

Effective date: 20230131

Owner name: MICRO FOCUS SOFTWARE INC. (F/K/A NOVELL, INC.), MARYLAND

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 052295/0041;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062625/0754

Effective date: 20230131

Owner name: MICRO FOCUS LLC, CALIFORNIA

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 052295/0041;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062625/0754

Effective date: 20230131

Owner name: NETIQ CORPORATION, WASHINGTON

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 052294/0522;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062624/0449

Effective date: 20230131

Owner name: MICRO FOCUS SOFTWARE INC. (F/K/A NOVELL, INC.), WASHINGTON

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 052294/0522;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062624/0449

Effective date: 20230131

Owner name: MICRO FOCUS LLC, CALIFORNIA

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 052294/0522;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062624/0449

Effective date: 20230131

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4